IDMEF File Zoom

The File Class

The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.

The File class is composed of eleven aggregate classes:

  • name

Exactly one. STRING. The name of the file to which the alert applies, not including the path to the file.

  • path

Exactly one. STRING. The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.

For Windows systems, the path should be specified using the Universal Naming Convention (UNC) for remote files, and using a drive letter for local files (e.g., "C:\boot.ini"). For Unix systems, paths on network file systems should use the name of the mounted resource instead of the local mount point (e.g., "fileserver:/usr/local/bin/foo"). The mount point can be provided using the <Linkage> element.

  • create-time

Zero or one. DATETIME. Time the file was created. Note that this is not the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.

  • modify-time

Zero or one. DATETIME. Time the file was last modified.

  • access-time

Zero or one. DATETIME. Time the file was last accessed.

  • data-size

Zero or one. INTEGER. The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).

  • disk-size

Zero or one. INTEGER. The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).

  • FileAccess

Zero or more. Access permissions on the file.

  • Linkage

Zero or more. File system objects to which this file is linked (other references for the file).

  • Inode

Zero or one. Inode information for this file (relevant to Unix).

  • Checksum

Zero or more. Checksum information for this file.

The File class has four attributes:

  • ident

Optional. A unique identifier for this file.

  • category

Required. The context for the information being provided. The permitted values are shown below. There is no default value.

Rank  Keyword   Description
0     current   The file information is from after the reported change
1     original  The file information is from before the reported change

  • fstype

Optional. The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.

Rank  Keyword  Description
0     ufs      Berkeley Unix Fast File System
1     efs      Linux "efs" file system
2     nfs      Network File System
3     afs      Andrew File System
4     ntfs     Windows NT File System
5     fat16    16-bit Windows FAT File System
6     fat32    32-bit Windows FAT File System
7     pcfs     "PC" (MS-DOS) file system on CD-ROM
8     joliet   Joliet CD-ROM file system
9     iso9660  ISO 9660 CD-ROM file system

  • file-type

Optional. The type of file, as a mime-type.

The FileAccess Class

The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems.

The FileAccess class is composed of two aggregate classes:

  • UserId

Exactly one. The user (or group) to which these permissions apply. The value of the "type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context.

  • Permission

One or more. ENUM. Level of access allowed. The permitted values are shown below. There is no default value.

Rank  Keyword            Description
0     noAccess           No access at all is allowed for this user
1     read               This user has read access to the file
2     write              This user has write access to the file
3     execute            This user has the ability to execute the file
4     search             This user has the ability to search this file (applies to "execute" permission on directories in Unix)
5     delete             This user has the ability to delete this file
6     executeAs          This user has the ability to execute this file as another user
7     changePermissions  This user has the ability to change the access permissions on this file
8     takeOwnership      This user has the ability to take ownership of this file

The "changePermissions" and "takeOwnership" strings represent those concepts in Windows. On Unix, the owner of the file always has "changePermissions" access, even if no other access is allowed for that user. "Full Control" in Windows is represented by enumerating the permissions it contains. The "executeAs" string represents the set-user-id and set-group-id features in Unix.
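The rules in the paragraph above are easy to get wrong when a sensor emits FileAccess from a raw Unix mode word, so here is an added example (not code from the IDMEF specification or from this project) that maps st_mode onto the three UserId types and the Permission keywords. It applies the page's rules: "search" instead of "execute" for directories, "executeAs" for setuid/setgid executables, "changePermissions" unconditionally for the owner, and "noAccess" when nothing else applies. The record layout (a list of dicts with "type", "ident", "permissions") and the helper setuid_world_executable are assumptions of this example; serialization to the wire format is left to the emitter.

```python
"""Map Unix mode bits onto the IDMEF FileAccess permission model (added example)."""
import stat

# (UserId type, read bit, write bit, execute bit) for the three Unix classes.
_CLASSES = (
    ("user-privs",  stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group-privs", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other-privs", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def file_access_from_mode(mode: int, uid: int, gid: int) -> list:
    """Return one FileAccess record per class: {"type", "ident", "permissions"}.

    Keyword choices follow the FileAccess class text:
      * x on a directory is "search", x on anything else is "execute";
      * setuid/setgid on an executable grants "executeAs" to whoever may execute it;
      * the owner always gets "changePermissions", even with no rwx bits at all;
      * "delete" is not derived: on Unix it depends on the parent directory's
        write bit, which a single mode word does not carry;
      * an empty set collapses to "noAccess".
    (Record layout is this example's own assumption, not an IDMEF structure.)
    """
    is_dir = stat.S_ISDIR(mode)
    setid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    idents = {"user-privs": str(uid), "group-privs": str(gid), "other-privs": ""}
    records = []
    for kind, r, w, x in _CLASSES:
        perms = []
        if mode & r:
            perms.append("read")
        if mode & w:
            perms.append("write")
        if mode & x:
            perms.append("search" if is_dir else "execute")
            if setid and not is_dir:
                perms.append("executeAs")
        if kind == "user-privs":
            perms.append("changePermissions")  # Unix owner can always chmod
        if not perms:
            perms.append("noAccess")
        records.append({"type": kind, "ident": idents[kind], "permissions": perms})
    return records


def setuid_world_executable(mode: int) -> bool:
    """True when "other-privs" carries executeAs: the classic setuid-binary check
    a manager would run over incoming FileAccess records (hypothetical helper)."""
    for rec in file_access_from_mode(mode, 0, 0):
        if rec["type"] == "other-privs" and "executeAs" in rec["permissions"]:
            return True
    return False


if __name__ == "__main__":
    for rec in file_access_from_mode(0o104755, 0, 0):  # a world-executable setuid root binary
        print(rec)
```

Note that the owner record for mode 0o100000 (no permission bits at all) still contains "changePermissions", which is exactly the case the paragraph above calls out.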

The Linkage Class

The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate.

The Linkage class is composed of three aggregate classes:

  • name

Exactly one. STRING. The name of the file system object, not including the path.

  • path

Exactly one. STRING. The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.

  • File

Exactly one. A <File> element may be used in place of the <name> and <path> elements if additional information about the file is to be included.

The Linkage class has one attribute:

  • category

Required. The type of object that the link describes. The permitted values are shown below. There is no default value.

Rank  Keyword        Description
0     hard-link      The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others.
1     mount-point    An alias for the directory specified by the parent's <name> and <path> elements.
2     reparse-point  Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points.
3     shortcut       The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager.
4     stream         An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main <File>.
5     symbolic-link  The <name> element represents the file to which the link points.

The Inode Class

The Inode class is used to represent the additional information contained in a Unix file system i-node.

The Inode class is composed of six aggregate classes:

  • change-time

Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat".

  • number

Zero or one. INTEGER. The inode number.

  • major-device

Zero or one. INTEGER. The major device number of the device the file resides on.

  • minor-device

Zero or one. INTEGER. The minor device number of the device the file resides on.

  • c-major-device

Zero or one. INTEGER. The major device of the file itself, if it is a character special device.

  • c-minor-device

Zero or one. INTEGER. The minor device of the file itself, if it is a character special device.

Note that <number>, <major-device>, and <minor-device> must be given together, and the <c-major-device> and <c-minor-device> must be given together.

The Checksum Class

The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others.

The Checksum class is composed of two aggregate classes:

  • value

Exactly one. STRING. The value of the checksum.

  • key

Zero or one. STRING. The key to the checksum, if appropriate.

The Checksum class has one attribute:

  • algorithm

Required. The cryptographic algorithm used for the computation of the checksum. The permitted values are shown below. There is no default value.

Rank  Keyword   Description
0     MD4       The MD4 algorithm.
1     MD5       The MD5 algorithm.
2     SHA1      The SHA1 algorithm.
3     SHA2-256  The SHA2 algorithm with 256 bits length.
4     SHA2-384  The SHA2 algorithm with 384 bits length.
5     SHA2-512  The SHA2 algorithm with 512 bits length.
6     CRC-32    The CRC algorithm with 32 bits length.
7     Haval     The Haval algorithm.
8     Tiger     The Tiger algorithm.
9     Gost      The Gost algorithm.
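The File, Linkage, Inode and Checksum classes above all derive from one stat() call plus a hash of the contents, and the mappings this page spells out (data-size from st_size, disk-size from 512 * st_blocks, st_ctime going to Inode/change-time rather than create-time, the number/major-device/minor-device triple emitted together, a symbolic link described by lstat() with its target in a Linkage) are exactly where home-grown sensors diverge. The following is an added example, not code from the IDMEF specification or from this project, that builds a <File> element with those children in the order the class model lists them. It assumes a POSIX host (os.major, st_blocks, os.symlink), uses SHA2-256 for the Checksum, omits FileAccess, and uses unprefixed element names; the demo() helper and its "passwd.bak"/"passwd.lnk" sample files are constructed for illustration.

```python
"""Build an IDMEF File element (RFC 4765 class model) from a POSIX stat (added example)."""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def idmef_datetime(ts: float) -> str:
    """IDMEF DATETIME values are ISO 8601; emit them in UTC with a 'Z' suffix."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sha256_of(path: str) -> str:
    """Hex SHA-256 of the file contents, read in chunks so large files are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def idmef_file(path: str, category: str = "current") -> ET.Element:
    """Describe `path` as a File element, children in the order the class model lists them.

    lstat() is used so that a symbolic link is described as itself; its target
    goes into a Linkage element, as the Linkage class prescribes.
    """
    st = os.lstat(path)
    abs_path = os.path.abspath(path)
    f = ET.Element("File", {"category": category})
    ET.SubElement(f, "name").text = os.path.basename(abs_path)
    ET.SubElement(f, "path").text = abs_path
    # create-time: POSIX st_ctime is NOT creation time (it belongs in Inode/change-time).
    # Only platforms that expose a birth time (BSD, macOS) get a create-time here.
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        ET.SubElement(f, "create-time").text = idmef_datetime(birth)
    ET.SubElement(f, "modify-time").text = idmef_datetime(st.st_mtime)
    ET.SubElement(f, "access-time").text = idmef_datetime(st.st_atime)
    ET.SubElement(f, "data-size").text = str(st.st_size)          # stat.st_size
    ET.SubElement(f, "disk-size").text = str(512 * st.st_blocks)  # 512 * stat.st_blocks
    if stat.S_ISLNK(st.st_mode):
        target = os.readlink(path)
        target_abs = os.path.normpath(os.path.join(os.path.dirname(abs_path), target))
        link = ET.SubElement(f, "Linkage", {"category": "symbolic-link"})
        ET.SubElement(link, "name").text = os.path.basename(target_abs)
        ET.SubElement(link, "path").text = target_abs
    inode = ET.SubElement(f, "Inode")
    ET.SubElement(inode, "change-time").text = idmef_datetime(st.st_ctime)
    # <number>, <major-device> and <minor-device> must be given together.
    ET.SubElement(inode, "number").text = str(st.st_ino)
    ET.SubElement(inode, "major-device").text = str(os.major(st.st_dev))
    ET.SubElement(inode, "minor-device").text = str(os.minor(st.st_dev))
    if stat.S_ISCHR(st.st_mode):
        # c-major/c-minor describe the device node itself and also come as a pair.
        ET.SubElement(inode, "c-major-device").text = str(os.major(st.st_rdev))
        ET.SubElement(inode, "c-minor-device").text = str(os.minor(st.st_rdev))
    if stat.S_ISREG(st.st_mode):  # no checksum for links, directories or device nodes
        cs = ET.SubElement(f, "Checksum", {"algorithm": "SHA2-256"})
        ET.SubElement(cs, "value").text = sha256_of(path)
    return f


def demo() -> dict:
    """Constructed sample: a regular file plus a symlink to it, in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd.bak")
        with open(target, "wb") as fh:
            fh.write(b"hello\n")
        link = os.path.join(d, "passwd.lnk")
        os.symlink(target, link)
        return {"file": idmef_file(target), "link": idmef_file(link)}


if __name__ == "__main__":
    for el in demo().values():
        ET.indent(el)
        print(ET.tostring(el, encoding="unicode"))
```

A file integrity checker would call idmef_file() twice around a change, once with category="original" from its stored baseline and once with category="current" from the live stat, and attach both to the same Alert; the manager then compares the two Checksum values and timestamps rather than trusting either description alone.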

Attachments:
File Zoom.svg - IDMEF UML Diagram File Zoom (101 KB), Vérène Houdebine, 05/07/2015 11:19 AM
File Zoom.svg - IDMEF UML Diagram File Zoom (69.5 KB), Sélim Menouar, 06/04/2015 12:03 PM